This is an automated email from the ASF dual-hosted git repository.
dbarnes pushed a commit to branch support/1.15
in repository https://gitbox.apache.org/repos/asf/geode.git
The following commit(s) were added to refs/heads/support/1.15 by this push:
new ececd27a03 GEODE-10389: Document upgrade to Geode 1.15 with SSL
protocol workaround (#7812)
ececd27a03 is described below
commit ececd27a039dc7dd1eb836d09532995782486869
Author: Dave Barnes <[email protected]>
AuthorDate: Fri Jun 17 11:59:07 2022 -0700
GEODE-10389: Document upgrade to Geode 1.15 with SSL protocol workaround
(#7812)
---
.../upgrade/upgrade_overview.html.md.erb | 50 ++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/geode-docs/getting_started/upgrade/upgrade_overview.html.md.erb
b/geode-docs/getting_started/upgrade/upgrade_overview.html.md.erb
index cfecad3fac..899da9bc5f 100644
--- a/geode-docs/getting_started/upgrade/upgrade_overview.html.md.erb
+++ b/geode-docs/getting_started/upgrade/upgrade_overview.html.md.erb
@@ -54,3 +54,53 @@ you will need to accomplish the upgrade. Then select the
appropriate upgrade pro
- **[Upgrading Clients](upgrade_clients.html)**
+ When you upgrade your <%=vars.product_name%> server software, you may need
to update your client
+ applications in order to maintain compatibility with the upgraded servers.
+
+## <a id="upgrade_to_115" class="no-quick-link"></a>Upgrading to v1.15
+
+For some users, issues regarding SSL protocols and their default values
require a preparatory SSL protocol migration step when upgrading to
<%=vars.product_name%> v1.15.
+Please read the following section carefully to determine whether your system
requires this additional SSL protocol migration step.
+
+### <a id="is_ssl_protocol_migration_required" class="no-quick-link"></a>Does
my System Require SSL Protocol Migration Before Upgrading to
<%=vars.product_name%> v1.15?
+
+To determine whether your system requires the SSL protocol migration
preparatory step, see if your system meets both of the following conditions:
+
+- If `ssl-endpoint-identification-enabled` is set to `true` AND<br/>
+- If `ssl-protocols` is set to a value other than "any", that is, it specifies
a list of specific protocols, but does not include "SSLv2Hello",
+
+THEN your system requires the SSL protocol migration step.
+
+**How do I determine my system's settings for the
`ssl-endpoint-identification-enabled` and `ssl-protocols` properties?**
+
+SSL properties may be set in properties files or on the gfsh command line. To
determine the settings for these parameters,
+
+- Check `gemfire.properties` and `gfsecurity.properties` for
+`ssl-endpoint-identification-enabled=true`. Also look for
`ssl-use-default-context=true`, which sets
+`ssl-endpoint-identification-enabled=true`.
+
+- Search system logs for these properties (using `grep`, for example).
+
+## <a id="preparatory-migration" class="no-quick-link"></a>Preparatory SSL
Protocol Migration
+
+The preparatory SSL protocol migration process consists of replacing one
property, `ssl-protocols`,
+with two new properties, `ssl-client-protocols` and `ssl-server-protocols`,
then removing the old
+`ssl-protocols` definition. Perform this substitution in whatever way the
original `ssl-protocols`
+were defined: in `.properties` files or on a command line.
+
+1. If your system is running JDK 8, upgrade to the latest version of JDK 8
before proceeding. This is necessary, even if you plan to
+perform the optional JDK upgrade step to JDK 11 or JDK 17.
+1. Shutdown a member (server or locator).
+2. Install <%=vars.product_name%> 1.15.
+3. Optionally install a new Java JDK.
+4. Add security property `ssl-client-protocols` with the same definition as
the old `ssl-protocols` property.
+5. Add security property `ssl-server-protocols` with the same definition as
the old `ssl-protocols` property PLUS "SSLv2Hello".
+For example, if the original value of `ssl-protocols` is "TLSv1.2", then define
+ - `ssl-client-protocols="TLSv1.2"`
+ - `ssl-server-protocols="TLSv1.2,SSLv2Hello"`
+6. Start the member.
+7. Verify successful cluster join.
+8. Repeat from step 1 for the next member.
+
+Optionally, after your upgrade is complete, you may restore your original
`ssl-protocols` property
+and restart all your members to eliminate the `SSLv2Hello` protocol support.
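Review bot: The numbered procedure under "Preparatory SSL Protocol Migration" has two items numbered `1.` (the JDK 8 update and "Shutdown a member"), so "Repeat from step 1 for the next member" in step 8 is ambiguous, and once a Markdown renderer renumbers the list sequentially it will point at the JDK step rather than the member shutdown. Suggest moving the JDK 8 update into a prerequisite sentence above the list, or renumbering 1 through 9 and changing the last step to "Repeat from step 2"; "Shutdown" used as a verb should also read "Shut down". Two smaller gaps in the same hunk: the "How do I determine my system's settings" section names both properties in its heading, but its bullets only say where to look for `ssl-endpoint-identification-enabled` (and `ssl-use-default-context`), not `ssl-protocols`; and the closing paragraph about restoring `ssl-protocols` does not say to remove `ssl-client-protocols` and `ssl-server-protocols` at the same time, which leaves it unclear whether `SSLv2Hello` is still accepted after the restart.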